Permit all requests

In this article, we will see how to customize a spring security application to permit or allow all requests and return response according to the accessed URLs.
This article assumes that you know how to configure security in a spring boot application.

Create configuration
Create a configuration class for customizing spring security behavior for handling incoming requests.

This class should
1. extend WebSecurityConfigurerAdapter class residing in org.springframework.security.config.annotation.web.configuration package.

2. Be marked with @Configuration annotation to signify that it is a configuration class.

WebSecurityConfigurerAdapter contains a method configure(HttpSecurity http), with default implementation. This default implementation authenticates all incoming requests with a user name and password.

To allow all incoming requests, we need to override this method in our configuration class as shown below.

@Configuration
public class SecurityConfig extends 
       WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) 
    throws Exception {
    http.
    authorizeRequests().
    anyRequest().
    permitAll();
  }
}

This implementation configures spring security to deny all incoming requests.

In the above method chain,
1. authorizeRequests() instructs spring security to restrict requests based on URL patterns and/or user roles.

2. anyRequest() configures all requests to be authorized irrespective of URL patterns.

3. permitAll() is applied to permit or allow all requests. The requests are not even checked to be originating from a trusted source.
No user name or password is required to access any URL. This is similar to having no security at all and should not be used in production environment.

Spring docs for permitAll() state,

Specify that URLs are allowed by anyone.

Example
Suppose the spring boot web application has a below controller mapped to URL /springapp as shown below

@RestController
public String welcome() {
  return "Application is up and running";
}

If this application is running on port 8080 at URL http://localhost:8080/springapp, you will get below response when this URL is accessed from browser

permit all requests in spring security

If accessed through postman, this URL will return below response

Application is up and running

This shows that we have successfully customized our spring security application to permit all requests received by it.
Hope the article was informative.